Monday, March 11, 2013

Cyberwar: you lack imagination

Is cyberwar real? That’s a stupid question. Here’s a better one: can you describe what’s happening without using the word “cyberwar”?

Chinese espionage stealing defense secrets is real. That the power grid is wide open to the Internet and vulnerable to hacker-caused power blackouts is real. Computers and the Internet being used on the battlefield is real. I have first-hand knowledge of all of these and can confirm them.

Yet, at the same time, the conclusions people draw from these facts aren't real. Cyberwar has become a war of words and ideas, not of evidence and substance.

Is Pluto a planet?

People debate names (what they call things) because they want to shape your views of the substance. Take Pluto, for example. It was, until recently, the ninth largest body orbiting the sun that we knew about. Even though it’s much smaller than the others, it made sense to group Pluto with the eight biggest objects. Then we discovered other bodies of Pluto’s size or larger, which made the logical grouping look different. With our greater knowledge, it makes sense to group Pluto-like "trans-Neptunian objects" with each other, and not with the big eight inner bodies. Even the big eight have two logical groupings: the “rocky planets” of Mercury, Venus, Earth, and Mars, and the “gas giants” of Jupiter, Saturn, Uranus, and Neptune. This is the substance; what we choose to call a "planet" or "not a planet" is irrelevant.

But the astrology-industrial-complex is upset. For the past 50 years, they’ve had a vested interest in calling Pluto a planet. They lobby to change the definition of "planet" back in order to protect their interests.

Take hurricanes as another example. Consider “Sandy”, the huge storm that hit the United States east coast last year, causing massive power blackouts. Was it a hurricane? Here’s the deal: insurance is written based upon the official designation by the government. If the government calls it a “hurricane”, then insurance companies can pay less. Therefore, the National Weather Service intentionally did not call Sandy a hurricane, in order to force insurers to pay more to homeowners. Conversely, the greenpeace-industrial-complex wants to call every storm a hurricane, to heighten people’s fears of disasters caused by global warming. Such wars of words matter to people.

Cyber APT1

Now let’s talk “cyberwar”. Like “planet” or “hurricane”, people are fighting over the connotations and higher meanings while ignoring the substance. Let’s talk substance.

The substance is that China is conducting unrestricted, asymmetric warfare against the United States. “Cyber” is only one part of the bigger picture. It’s the way the Chinese government subsidizes cheap telecoms equipment from Huawei or ZTE for third-world countries in order to secure oil trade deals. Part of these subsidies are outright bribes to government officials in those countries. In contrast, the United States has laws against bribery, and trade restrictions preventing companies from selling to some third-world nations. As a consequence, the developing world is moving out of the American orbit and into the Chinese orbit. One day, the second language in Africa may be Chinese instead of English.

Cyber espionage is part of this unrestricted warfare. But the question is this: how much of that espionage is controlled and directed from the top? Another question is: how much of this espionage is purely "cyber"? The answers to these questions are murky.

From the top, China sets goals. It may decide that in the next 10 years it wants to become the leading supplier of turbine engines. It then figures out what it needs in order to accomplish that goal. It’ll need a supply of titanium from Russia. It’ll need to set up factories in Guangdong. It’ll need to greatly expand its training of turbine engineers coming out of technical universities.

What if you are a Chinese aeronautics professor tasked with expanding the turbine engine program at your university? How do you teach your students the latest cutting-edge technology? Well, you go read papers on the subject published in the United States. You then grab the authors’ email addresses. You send them e-mails saying “I enjoyed your talk at Xyz Conference. I was wondering if you had any comments on this paper I’m writing”. You attach a PDF document carrying an exploit (written by a student in the CompSci department). The recipient opens it, gets pwned, and has all their research stolen, including the latest work funded by Lockheed.
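The booby-trapped PDF described above is what a mail gateway or an incident responder actually has to catch. The following is an added triage example, not code from the original post or from Errata Security: it scans a PDF attachment for the name objects that signal active or embedded content (/OpenAction, /JavaScript, /Launch and friends), decoding the #xx hex escapes attackers use to hide them from naive string matching. The two sample PDFs are constructed inline for illustration; the list of suspicious names is a starting point, not an exhaustive signature set.

```python
import re

# PDF name objects that indicate active or embedded content. Any of these in a
# cold-contact attachment is a reason to detonate it in a sandbox rather than
# open it on a workstation. Illustrative list, not exhaustive (assumption).
SUSPICIOUS_NAMES = {
    "/JavaScript": "embedded JavaScript",
    "/JS": "JavaScript action",
    "/OpenAction": "action run when the document is opened",
    "/AA": "additional (automatic) actions",
    "/Launch": "launches an external program",
    "/EmbeddedFile": "carries an embedded file",
    "/RichMedia": "Flash / rich media content",
    "/XFA": "XML forms (historically abused)",
}

# A PDF name runs from '/' up to the next whitespace or delimiter character.
_NAME_RE = re.compile(rb"/[^\s/<>\[\]()%]+")


def _decode_name(raw: bytes) -> str:
    """Undo /J#61vaScript-style hex escapes so obfuscated names still match."""
    def repl(m):
        return bytes([int(m.group(1), 16)])
    return re.sub(rb"#([0-9A-Fa-f]{2})", repl, raw).decode("latin-1")


def scan_pdf(data: bytes) -> dict:
    """Return {'is_pdf', 'findings': {name: count}, 'suspicious'} for raw PDF bytes."""
    if not data.startswith(b"%PDF-"):
        return {"is_pdf": False, "findings": {}, "suspicious": False}
    findings = {}
    for m in _NAME_RE.finditer(data):
        name = _decode_name(m.group(0))
        if name in SUSPICIOUS_NAMES:
            findings[name] = findings.get(name, 0) + 1
    return {"is_pdf": True, "findings": findings, "suspicious": bool(findings)}


def explain(result: dict) -> list:
    """Human-readable lines for a ticket or mail-gateway log."""
    return [f"{name} x{n}: {SUSPICIOUS_NAMES[name]}"
            for name, n in sorted(result["findings"].items())]


# Constructed sample attachments (not real captures).
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
)

# Opens a JavaScript action automatically; the /JavaScript name is hex-escaped.
MALICIOUS_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
    b"3 0 obj\n<< /S /J#61vaScript /JS (app.alert('pwned')) >>\nendobj\n"
)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_PDF), ("malicious", MALICIOUS_PDF)):
        r = scan_pdf(blob)
        print(label, "suspicious" if r["suspicious"] else "clean")
        for line in explain(r):
            print("  ", line)
```

This is a cheap first filter, not a verdict: a clean scan says nothing about a PDF that exploits a parser bug in a font or image stream, and a hit on /EmbeddedFile may be a legitimate portfolio. Use it to decide what goes to a sandbox, and feed the structural findings into whatever analysis the sandbox produces.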

This “spear phishing”, as it’s called, is the most basic attack on the Internet. Teenagers do it. Technically, it shouldn't matter what you call it, but people fight over words anyway. Call it “basic teenager attacks” and it implies one sort of response by our government; call it “state-sponsored APT cyberwar” and it implies a wholly different sort of response.

And that’s where the word “cyberwar” comes from. It’s a word coined by politicians, generals, and CEOs of the military-industrial-complex who want to convince you that you are powerless against state-sponsored hacking. If it’s cyberwar, then vote to give them more power to defend you. If it’s teenagers, well, then the generals don’t get as much power, do they?

What’s funny is you are indeed powerless, because the U.S. government has made you so. You can’t sell your telecom equipment to Africa, because the U.S. government has outlawed bribing foreign officials. You can’t defend yourself against Chinese hackers, because U.S. law forbids you from hacking them back. You can’t even secure your network the best way you think is right, because then government regulators will come in and fine you for not doing it their way.

By the way, I've been on the investigative side for several really sensitive hacks by the Chinese. The threat of "Chinese hackers" is very real -- it's just the conclusions these people reach aren't real. If you stopped all the "Chinese cyber", the espionage would continue unabated.

Cyber blackouts

All this talk of hackers has gotten people really scared. It has become the “null hypothesis”. When something bad happens, like a power blackout or an airline crash, one of the first questions people ask is “are hackers responsible?”. That hackers are involved becomes the assumption until proven otherwise. A good example of this was the blackout at the recent Super Bowl football game. Hackers were the prime suspect until the real cause was found.

There is not a single documented case of hackers causing a blackout, or knocking a plane out of the sky. Yet this has become the default explanation for everything, much as 500 years ago “witchcraft” was the default explanation for anything you didn’t understand. Jericho and Josh Corman had a fun talk at BruCon last year where they pointed out that the leading cause of power blackouts is, in fact, squirrels. They documented the enormity of the problem. They painted a clear picture of how it’s squirrels, not hackers, that we need to be mortally afraid of, that we need nation-state action to stop. (Maybe I exaggerate.)

While humorous, they are a bit wrong. Random failures aren’t as important as intentional failures. The 9/11 attacks caused minor damage and minor loss of life overall; almost anything else, such as car accidents, was worse. But we freaked out because it happened all at once, concentrated in one place. Likewise, while squirrels might cause more power outages in a given year than hackers do, the coordinated nature of a hacker-caused outage would still be worse than any number of squirrel outages.

So cyber is more of a threat to the grid than Jericho and Corman claim, but at the same time they are right that it’s much less than what the United States government claims.

We have some 10,000 companies involved in power. We don’t have a single grid but many grids that are somewhat interconnected. It’s broken down by region, then by state, then by area (usually related to cities) within the state. Some companies generate power. Other companies carry it long distances. Yet other companies distribute it to your home or factory.

If China wanted to cause a massive blackout, then cyber isn’t the way to do it. Some countries have centralized bureaucracies that run their power grid, and thus have a single point of “hack” that can be used to shut off the entire country. The complexity in the United States makes us different: you can’t throw a single switch to turn it all off. Instead, you’d need to lay the groundwork for years to prepare for a massive blackout, and you’d likely get discovered long before you reached your goal.

A far easier method is bombs and bribery. Cut a few wires, blow up a few long-distance lines, and you could create a much more effective blackout than with cyber. The physical infrastructure is just too big for us to adequately protect. We don’t even try. Instead our policy is deterrence: either police stopping small actors, or our military stopping big ones.

Our government uses analogies like “cyber Pearl Harbor” or “cyber 9/11” to scare us about the potential of such disasters. But the reality is that both Pearl Harbor and 9/11 were relatively small tragedies. The real lesson to learn from these events is what happened afterwards: all-out existential warfare that utterly destroyed the perpetrators. If China caused massive power blackouts in the United States, 10 years later either China or the United States would cease to exist.

By the way, I use "bombs" as an example because that's how I'd do it. I'm actually one of the foremost experts on hacking the power grid. I've discovered wormable buffer-overflows in the ICCP protocol that should scare the heck out of you. Even for me, the way I'd choose to cause havoc is still with bombs rather than cyber.

Cyber battlefield

Now let’s talk about the battlefield. While everyone is talking about Chinese espionage and power blackouts, actual “cyber” on the battlefield has gone unnoticed.

Hundreds of years ago, advanced Europeans colonized Africa and the Americas by pitting advanced technology, guns, against primitive technology, spears and arrows.

Today, we do the same thing with “cyber”. Whether it’s GPS, drones, mobile phones, or anything, we leverage computers and networks to the hilt. Simple e-mail has become a potent cyber-weapon in today’s conflicts.

For example, both sides make heavy use of mobile phones. They (the enemy) might make IEDs that are triggered by dialing a mobile phone. So, when our convoy goes through a neighborhood, we might DoS the local cell tower with malformed SMS packets, taking it down and preventing them from dialing phones. Sure, we could also jam the frequencies, but the cyber way works better. I’ve got the “Electronic Warfare 101” textbooks; they are woefully incomplete on the effectiveness of buffer overflows against cell towers. By the way, I use this analogy because we at Errata Security have DoSed a cell tower by crafting our own SMS packets. I’d be astonished if our military wasn’t doing this on the battlefield.

In Afghanistan, family compounds have satellite TV and Internet. So we hack their WiFi to eavesdrop on communications. We get their e-mails, we discover their plans, and we thwart them.

Here is our battlefield military doctrine: maximize our use of cyber, minimize our vulnerability to cyber, deny the use of cyber by our enemies. This is real cyberwar, happening right now on the battlefield as you read this, yet nobody talks about it, because what they actually want is a word to scare you for their cause.


Narrow-minded people construct narrow definitions of "cyberwar" to conform to what they believe, and what they want you to believe. All these uses of "cyberwar" require you to ignore the broader picture. There is so much more going on than what these people are talking about.

Recently, a company called Mandiant released a report on "APT1". It had a lot of good information, and much of it is undoubtedly true. But at the same time, much of it is guesswork, and it totally fails to capture the bigger picture. It fails to capture the larger Chinese industrial policy. It fails to capture the simplicity of the vast majority of Chinese hacks, and how they fail to be as "advanced" as advertised. It reads as if written by government bureaucrats, designed to scare you into voting for more laws to protect you against the Chinese cyberwar threat.

Stories about hacking critical infrastructure are just that: stories. They are based on movie plots rather than hard evidence. If you want to attack infrastructure, there is so much more that could be done than just cyber.

At the same time, everyone is ignoring the fact that "cyber" is actually being used on the battlefield, from vaguely cyber-ish things like drones, to actual hacks against vulnerabilities. Nobody talks about this cyberwar because they want to talk about the other cyberwar.

I spend a lot of time "debunking" cyberwar. It's not because I think there isn't a problem, but because I think your definition is a narrow-minded, self-serving one. How you are using that word doesn't jibe with all that I've experienced. If you've got substance or evidence, talk about that substance rather than hyping silly words like cyberwar.

This post is written in response to this debate by Dan Holden and Jericho from My point is this: debating abstract concepts like "cyberwar" is a strange game whose only winning move is not to play. Instead, debate the specifics. Jericho has some good specifics from his BruCon talk, Dan has a lot of specifics he can't talk about, which I guess is his frustration of "what I know doesn't match what you people are discussing".


Guy Rosario, ITIL said...

Sweet post, Dude! May I have permission to re-post this in LinkedIn?

Cheers from Canada!

Ben said...

Can you please elaborate on your first-hand knowledge of "hacker-caused power blackouts"? Do you have specific, actual examples? Something tangible? Or is this just more wink-n-nod hyperbole? Pentests/red teams don't count, unless they caused an actual blackout. Having specific examples would be very helpful in discussing the issue with people in the sector. TIA!

Security Leaders Group said...

It may come as a surprise to many but your take on cyberwar is the same as mine Rob. When I talk about cyberwar it is only in the context of how militaries and nation states are leveraging computers and networks to enhance their war fighting capability.

Robert Graham said...


It's from pentests, and they do count when we show coming in from the Internet and gaining complete control over ALL the computers that control the power grid (well, the part of the 'grid' that belongs to our customer). I documented, as best I can considering it's confidential information, back in 2006 many such experiences, and linked it in the post.

Ben said...


I appreciate where you're coming from and what you're saying, but the old guard seem unimpressed with POC pentests. If the lights don't go out, causing them to lose revenue and get fined by PUCs, then it might as well not have happened. As I said, pentests don't count.

Also, you specifically said "hacker-caused power blackouts" - which seems to be an overstatement on your part. You've demonstrated how easily it can be done, but if I'm reading you correctly, you stopped short of that final step. It's a shame, too... I know, jail time is undesirable, but it would have been a heck of a way to make the point... :S

Thanks for the follow-up!

decius said...

My response to this exceeded the maximum character count for your comment system, so I posted it on my blog:

Anonymous said...

If the only way of proving that a crime/misdemeanor can be committed is by actually having to commit it, then security has suddenly become a dangerous job. If people fail to listen, either the documentation was not written for them or they are the wrong people to talk to.

Ben said...

It's basic human psychology... people change because they want to (rare) or because they're forced to by trauma/pain. From a business perspective, it seems that they don't want to change, and they've simply not felt the pain yet. *shrug* The unfortunate thing is that when they feel the pain, millions will feel the pain...

Anonymous said...

That's a big dilemma. I do get what you mean. But I still think that in such cases the reports are written for the wrong people. Why would one pay for a test to find flaws and then choose not to believe the results? The only thing I can think of is they want it tested that one cannot enter the system. Not that someone can. I reckon awareness and involvement are the real issues then, right? It's a pity that to prove one can switch off the power, one must do so. Wouldn't that be considered a terrorist attack, by the way? Maybe they don't want you to rock the boat. If they do not know how to take measures yet, they had better not yell.

DDoS Protection .Net said...

Robert, that post made me think a lot. Cyberwar is definitely everywhere today. It cannot be publicized like real-world conflict; that's the only reason it's not being talked about. It's a silent war.

Jeffrey Carr said...

Excellent article, Rob. Very well said.